Avoid Costly Inter-Cloud Routing Mistakes with an Intent Check

USE CASE
Engineers and accountants share a common trait — they don’t like surprises, especially when they come in the form of cloud bills that are much higher than anticipated. Because cloud computing is billed on consumption, similar to electricity, some fluctuations are normal and unavoidable. However, a simple intercloud routing error can easily deliver a six-figure surprise. Without proactive checks, IT teams are completely unaware of the issue until the bill arrives. 

A Google search for “unexpected AWS charges” returns hundreds of thousands of results. Bear in mind, that’s only the people who took to the web to vent or ask for help — meaning the problem is likely much more widespread. 

In addition to economic consequences, inefficient traffic routing to and from your various cloud instances and other services can also lead to bandwidth and latency issues that undermine network and app performance. While your users likely won't know that the network paths they regularly take to access critical apps are costing your business more than they should, they'll definitely know if their experience reaching and using those resources is suboptimal.

So, how can you identify and fix inter-cloud routing mistakes across all your cloud instances — including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure — quickly and easily, while maintaining application availability? By using the intent check feature in the Forward Enterprise platform from Forward Networks. 

Confirming What Works While Finding a More Efficient Approach

Forward Enterprise lets you visualize your entire cloud estate alongside your on-premises environment in a single normalized view. The intent check feature in the platform helps you confirm that the traffic to, from, and between your cloud environments is taking the desired path. If there’s a routing change that violates policy, the appropriate team is immediately alerted so they can fix it before the problem grows. 

For example, say that a user in your GCP production instance wants to access the internet, and your security policy is set so that they have permission to access the internet directly from GCP. However, with the path visualization in the Forward Enterprise dashboard, you can see that the path the user currently takes to the internet isn’t direct. 

Instead of going from GCP and through the Google NAT gateway to reach the internet — the most efficient path — the user is traversing through a virtual private network (VPN) that then takes them through a managed NAT gateway in AWS. The result: the user gets to the internet, but the organization is triple-charged for the multiple connections — paying for an egress charge from GCP and for the managed NAT and internet gateways in AWS.

With the intent check feature in Forward Enterprise, you can confirm that the path the user is currently taking to the internet works — even if it’s costly and creates latency. Intent check can also automatically check that the path is there every time Forward Enterprise takes a new snapshot of your network. In this manner, intent checks provide engineering teams with automatic validation that the posture they require is in place. 

Global View of Path Trace — users can drill down to a single device detail view

Next, you can use an intent check to learn if the more efficient pathway (GCP → Google NAT gateway → internet) is available and working. The intent check determines that it’s not, categorizing the connection on the list of available paths from GCP to the internet as “failed.” You can then route a ticket to the network teams in AWS and GCP to investigate and resolve the connectivity issue, which is likely due to a misconfiguration. 
Intent checks can be used to prevent multi-cloud routing mistakes
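
The two checks described above, as an added example that is not Forward Enterprise code and does not use its API: a toy snapshot of per-hop route tables is traced with longest-prefix matching, then tested against a "path works" intent and a "direct via Google NAT" intent. All node names, prefixes, the destination address and the function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over one hop's route table; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(snapshot, src, dst, sink="internet"):
    """Follow next hops from src until the sink, a dead end, or a loop."""
    path, node = [src], src
    while node != sink:
        node = next_hop(snapshot.get(node, {}), dst)
        if node is None or node in path:
            return path, False
        path.append(node)
    return path, True

def intent_check(snapshot, src, dst, must_traverse=(), must_avoid=()):
    """Pass only if traffic is delivered and the path meets both constraints."""
    path, delivered = trace(snapshot, src, dst)
    ok = (delivered and all(h in path for h in must_traverse)
          and not any(h in path for h in must_avoid))
    return ok, path

# Constructed snapshot: GCP's default route points at the VPN, not Cloud NAT.
CURRENT = {
    "gcp-prod":      {"10.20.0.0/16": "vpn-tunnel", "0.0.0.0/0": "vpn-tunnel"},
    "vpn-tunnel":    {"0.0.0.0/0": "aws-vpc"},
    "aws-vpc":       {"0.0.0.0/0": "aws-nat-gw"},
    "aws-nat-gw":    {"0.0.0.0/0": "aws-igw"},
    "aws-igw":       {"0.0.0.0/0": "internet"},
    "gcp-cloud-nat": {"0.0.0.0/0": "internet"},
}
# Constructed later snapshot, taken after the default route is corrected.
FIXED = {**CURRENT, "gcp-prod": {"10.20.0.0/16": "vpn-tunnel",
                                 "0.0.0.0/0": "gcp-cloud-nat"}}
DST = "203.0.113.10"  # documentation-range address standing in for an internet host

def run_checks(snapshot):
    """Re-run both intents against a snapshot, as after each collection."""
    works, path = intent_check(snapshot, "gcp-prod", DST)
    direct, _ = intent_check(snapshot, "gcp-prod", DST,
                             must_traverse=["gcp-cloud-nat"], must_avoid=["vpn-tunnel"])
    return {"reachable": works, "direct_via_gcp_nat": direct, "path": path}

if __name__ == "__main__":
    for name, snap in (("current", CURRENT), ("fixed", FIXED)):
        print(name, run_checks(snap))
```

On the first snapshot the reachability intent passes while the direct-path intent fails, which is the combination that hides the extra egress and NAT charges until someone checks the path itself.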

Powerful Insights from Read-Only Data

Forward Enterprise needs only basic API connectivity to access the data required to show all possible traffic paths into your cloud environments. All permissions we use to collect data are read-only.

We collect config and state data from all your on-premises devices, such as routers, switches, load balancers, and firewalls. And we use publicly available APIs to gather similar read-only information for your various cloud accounts, including those with major providers, to create a digital network twin. 

A Single Source of Truth for Your On-Premises, Hybrid, and Multi-Cloud Estate

Forward Networks’ mathematical model creates a complete and always current digital twin of your physical, virtual, and multi-cloud network estate, including config and state information for all network elements and your hybrid or multi-cloud environment. The digital twin provides a comprehensive view of all network behavior, with visibility into every possible path a packet can take. It brings mathematical certainty to network security validations by enabling security operations teams to:

VISUALIZE network Layer 2–4 topology and all possible traffic paths within a single pane of glass, including on-premises, cloud (AWS, GCP, and Microsoft Azure), and virtualized environments. Then, drill down to specific devices and traffic flows, including configuration and state data. View the global network in a single view or drill down to a single device.

SEARCH the entire estate as simply as a database. Our browser-like search feature performs complete end-to-end path analyses across the network for both on-premises and cloud infrastructure. This also enables you to locate devices and access detailed information on their location, configuration, and state in milliseconds. 

VERIFY that the security policies are extended to the cloud using purpose-built (custom) intent checks. Continuously audit the network and receive actionable alerts for non-compliance with your security policies. Know that applications are compliant before provisioning them.

COMPARE network changes over time to understand their impact on the network and prevent incidents from reoccurring. The network collector frequently scans the network, taking and saving network configurations, topology, and device state snapshots. These “snapshots” become a searchable historical record of network behavior and compliance at any point in time. And the behavior diffs feature makes it easy to quickly find and compare snapshots to identify changes that may violate your security policy.

Explore All Aspects of Your Compute Environment With Forward Enterprise

See for yourself how the Forward Enterprise platform can help your network and security teams to monitor and verify all your clouds through a single pane of glass and explore any object in your cloud environment to ensure everything is working exactly as it should be. To see this feature and the power of a network digital twin in action, please request a demo.

Read more cloud use cases

Verify security policies in the cloud



Deploying traditional security controls is ineffective in the cloud since defensible perimeters are erased, component virtualization and decentralization obscure visibility, and automated configuration tools are required at scale. Forward Networks can help you verify that the same policies you have in place on-prem are being enforced in the cloud by enabling engineers to visualize cloud and on-prem environments in a single normalized view.

An intuitive approach to visualizing, monitoring, and verifying your multi-cloud estate in a single pane of glass

While the cloud delivers on the promise of agility, it also creates challenges in understanding traffic behavior from the point of access, within and between clouds. With the Forward Enterprise platform from Forward Networks, you can now visualize and monitor your entire estate in an always up-to-date, vendor-agnostic model where data is presented in an intuitive, actionable format — in a single pane of glass. 

Automating security for cloud application provisioning

Often conducted manually, secure application provisioning can be painfully slow, essentially eradicating the benefits of cloud. Without a single source of truth and the ability to visualize all potential traffic paths, it's nearly impossible to ensure that the intended security and connectivity policies are applied to new cloud applications. That is why we've extended the secure application functionality of Forward Enterprise to the cloud.

Reduce mean time to innocence with hop by hop visibility

Your network and security teams’ struggle to understand what’s happening across your cloud estate is due largely to a lack of appropriate tools. The tools they use to validate connectivity and security for on-premises networking are completely different from those used for the cloud — and between clouds. The Forward Enterprise platform helps your teams by providing a clear visualization of your cloud estate alongside your on-premises environment in a single normalized view.